BigQuery: OAuth passthrough #334

Open
@szabalza

Challenge:

Currently, our plugin does not support OAuth-based access control for BigQuery data sources. This limitation prevents us from enforcing granular, user-level access to data directly within BigQuery.

User Pain:

As a workaround, users are forced to implement complex permission schemes—such as aligning data source permissions with folder structures or mapping access to team membership within an instance. These workarounds introduce maintenance overhead, reduce flexibility, and increase the risk of misconfigured access.

Proposed Solution:

We would like BigQuery data sources to support OAuth passthrough, allowing dashboards and queries to inherit the viewer’s BigQuery permissions. This would ensure that users only see the data they are authorized to access according to their identity in the organization’s Google Cloud environment.

First Step:

As an initial step, we propose implementing OAuth passthrough for BigQuery using the same patterns already established in other plugin integrations. This approach should allow us to validate the approach incrementally while immediately delivering value to users.

Acceptance criteria

  • Grafana users can authenticate with BigQuery using their individual Google identities via OAuth 2.0.
  • The plugin uses the authenticated user’s OAuth token to query BigQuery on their behalf, respecting IAM roles and dataset permissions.
  • Admins can toggle between service account and OAuth passthrough modes in the BigQuery datasource settings.
  • Users receive clear UI feedback for common OAuth-related issues (e.g., missing scopes, token expiration, insufficient permissions).
  • Existing users using service account credentials continue to operate without any required changes or regressions.
  • Comprehensive setup guide is provided, including steps for enabling OAuth passthrough, required scopes, and IAM configuration.
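
A sketch of the credential selection and error feedback the acceptance criteria describe, added here as an illustration and not taken from the plugin or from this issue. All type and function names are hypothetical; it assumes the viewer's token reaches the backend as an `Authorization: Bearer` header and that the upstream API reports failures with RFC 6750 `WWW-Authenticate` error codes.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// AuthMode mirrors the admin toggle in the datasource settings (hypothetical names).
type AuthMode string

const (
	ModeServiceAccount   AuthMode = "service_account"
	ModeOAuthPassthrough AuthMode = "oauth_passthrough"
)

var ErrNoUserToken = errors.New("oauth passthrough is enabled but the request carries no user bearer token")

// ResolveBearer picks the token used to query BigQuery for one request.
// In passthrough mode it fails closed: a missing or malformed user token is an
// error and never falls back to the service account, which would let a viewer
// read data with the service account's permissions instead of their own.
func ResolveBearer(mode AuthMode, forwarded http.Header, saToken string) (string, error) {
	if mode != ModeOAuthPassthrough {
		return saToken, nil // existing service-account datasources are unchanged
	}
	scheme, tok, ok := strings.Cut(forwarded.Get("Authorization"), " ")
	tok = strings.TrimSpace(tok)
	if !ok || !strings.EqualFold(scheme, "Bearer") || tok == "" {
		return "", ErrNoUserToken
	}
	return tok, nil
}

// ClassifyAuthFailure turns an upstream status and WWW-Authenticate value into
// the user-facing feedback listed in the criteria ("" means not an auth failure).
func ClassifyAuthFailure(status int, wwwAuth string) string {
	switch {
	case status == http.StatusUnauthorized:
		return "token expired or invalid: sign in again"
	case status == http.StatusForbidden && strings.Contains(wwwAuth, `error="insufficient_scope"`):
		return "missing scopes: the OAuth login did not grant a BigQuery scope"
	case status == http.StatusForbidden:
		return "insufficient permissions: your Google identity cannot access this resource"
	}
	return ""
}

func main() {
	h := http.Header{}
	h.Set("Authorization", "Bearer constructed-user-token") // constructed sample value
	fmt.Println(ResolveBearer(ModeOAuthPassthrough, h, "constructed-sa-token"))
	fmt.Println(ClassifyAuthFailure(403, `Bearer error="insufficient_scope"`))
}
```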

Projects

Status

In Progress
